OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include <stdint.h> | 5 #include <stdint.h> |
6 #include <algorithm> | 6 #include <algorithm> |
7 | 7 |
8 #include "base/base64.h" | 8 #include "base/base64.h" |
9 #include "base/sha1.h" | 9 #include "base/sha1.h" |
10 #include "base/strings/string_piece.h" | 10 #include "base/strings/string_piece.h" |
(...skipping 134 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
145 // values for its predictable fields. | 145 // values for its predictable fields. |
146 EXPECT_EQ(0, max_age.InSeconds()); | 146 EXPECT_EQ(0, max_age.InSeconds()); |
147 EXPECT_FALSE(include_subdomains); | 147 EXPECT_FALSE(include_subdomains); |
148 } | 148 } |
149 | 149 |
150 static void TestBogusPinsHeaders(HashValueTag tag) { | 150 static void TestBogusPinsHeaders(HashValueTag tag) { |
151 base::TimeDelta max_age; | 151 base::TimeDelta max_age; |
152 bool include_subdomains; | 152 bool include_subdomains; |
153 HashValueVector hashes; | 153 HashValueVector hashes; |
154 HashValueVector chain_hashes; | 154 HashValueVector chain_hashes; |
155 std::string report_uri; | |
155 | 156 |
156 // Set some fake "chain" hashes | 157 // Set some fake "chain" hashes |
157 chain_hashes.push_back(GetTestHashValue(1, tag)); | 158 chain_hashes.push_back(GetTestHashValue(1, tag)); |
158 chain_hashes.push_back(GetTestHashValue(2, tag)); | 159 chain_hashes.push_back(GetTestHashValue(2, tag)); |
159 chain_hashes.push_back(GetTestHashValue(3, tag)); | 160 chain_hashes.push_back(GetTestHashValue(3, tag)); |
160 | 161 |
161 // The good pin must be in the chain, the backup pin must not be | 162 // The good pin must be in the chain, the backup pin must not be |
162 std::string good_pin = GetTestPin(2, tag); | 163 std::string good_pin = GetTestPin(2, tag); |
163 std::string good_pin_unquoted = GetTestPinUnquoted(2, tag); | 164 std::string good_pin_unquoted = GetTestPinUnquoted(2, tag); |
164 std::string backup_pin = GetTestPin(4, tag); | 165 std::string backup_pin = GetTestPin(4, tag); |
165 | 166 |
166 EXPECT_FALSE(ParseHPKPHeader(std::string(), chain_hashes, &max_age, | 167 EXPECT_FALSE(ParseHPKPHeader(std::string(), chain_hashes, &max_age, |
167 &include_subdomains, &hashes)); | 168 &include_subdomains, &hashes, &report_uri)); |
168 EXPECT_FALSE(ParseHPKPHeader(" ", chain_hashes, &max_age, | 169 EXPECT_FALSE(ParseHPKPHeader(" ", chain_hashes, &max_age, |
169 &include_subdomains, &hashes)); | 170 &include_subdomains, &hashes, &report_uri)); |
170 EXPECT_FALSE(ParseHPKPHeader("abc", chain_hashes, &max_age, | 171 EXPECT_FALSE(ParseHPKPHeader("abc", chain_hashes, &max_age, |
171 &include_subdomains, &hashes)); | 172 &include_subdomains, &hashes, &report_uri)); |
172 EXPECT_FALSE(ParseHPKPHeader(" abc", chain_hashes, &max_age, | 173 EXPECT_FALSE(ParseHPKPHeader(" abc", chain_hashes, &max_age, |
173 &include_subdomains, &hashes)); | 174 &include_subdomains, &hashes, &report_uri)); |
174 EXPECT_FALSE(ParseHPKPHeader(" abc ", chain_hashes, &max_age, | 175 EXPECT_FALSE(ParseHPKPHeader(" abc ", chain_hashes, &max_age, |
175 &include_subdomains, &hashes)); | 176 &include_subdomains, &hashes, &report_uri)); |
176 EXPECT_FALSE(ParseHPKPHeader("max-age", chain_hashes, &max_age, | 177 EXPECT_FALSE(ParseHPKPHeader("max-age", chain_hashes, &max_age, |
177 &include_subdomains, &hashes)); | 178 &include_subdomains, &hashes, &report_uri)); |
178 EXPECT_FALSE(ParseHPKPHeader(" max-age", chain_hashes, &max_age, | 179 EXPECT_FALSE(ParseHPKPHeader(" max-age", chain_hashes, &max_age, |
179 &include_subdomains, &hashes)); | 180 &include_subdomains, &hashes, &report_uri)); |
180 EXPECT_FALSE(ParseHPKPHeader(" max-age ", chain_hashes, &max_age, | 181 EXPECT_FALSE(ParseHPKPHeader(" max-age ", chain_hashes, &max_age, |
181 &include_subdomains, &hashes)); | 182 &include_subdomains, &hashes, &report_uri)); |
182 EXPECT_FALSE(ParseHPKPHeader("max-age=", chain_hashes, &max_age, | 183 EXPECT_FALSE(ParseHPKPHeader("max-age=", chain_hashes, &max_age, |
183 &include_subdomains, &hashes)); | 184 &include_subdomains, &hashes, &report_uri)); |
184 EXPECT_FALSE(ParseHPKPHeader(" max-age=", chain_hashes, &max_age, | 185 EXPECT_FALSE(ParseHPKPHeader(" max-age=", chain_hashes, &max_age, |
185 &include_subdomains, &hashes)); | 186 &include_subdomains, &hashes, &report_uri)); |
186 EXPECT_FALSE(ParseHPKPHeader(" max-age =", chain_hashes, &max_age, | 187 EXPECT_FALSE(ParseHPKPHeader(" max-age =", chain_hashes, &max_age, |
187 &include_subdomains, &hashes)); | 188 &include_subdomains, &hashes, &report_uri)); |
188 EXPECT_FALSE(ParseHPKPHeader(" max-age= ", chain_hashes, &max_age, | 189 EXPECT_FALSE(ParseHPKPHeader(" max-age= ", chain_hashes, &max_age, |
189 &include_subdomains, &hashes)); | 190 &include_subdomains, &hashes, &report_uri)); |
190 EXPECT_FALSE(ParseHPKPHeader(" max-age = ", chain_hashes, | 191 EXPECT_FALSE(ParseHPKPHeader(" max-age = ", chain_hashes, &max_age, |
191 &max_age, &include_subdomains, &hashes)); | 192 &include_subdomains, &hashes, &report_uri)); |
192 EXPECT_FALSE(ParseHPKPHeader(" max-age = xy", chain_hashes, | 193 EXPECT_FALSE(ParseHPKPHeader(" max-age = xy", chain_hashes, &max_age, |
193 &max_age, &include_subdomains, &hashes)); | 194 &include_subdomains, &hashes, &report_uri)); |
194 EXPECT_FALSE(ParseHPKPHeader(" max-age = 3488a923", | 195 EXPECT_FALSE(ParseHPKPHeader(" max-age = 3488a923", chain_hashes, |
196 &max_age, &include_subdomains, &hashes, | |
197 &report_uri)); | |
198 EXPECT_FALSE(ParseHPKPHeader("max-age=3488a923 ", chain_hashes, &max_age, | |
199 &include_subdomains, &hashes, &report_uri)); | |
200 EXPECT_FALSE(ParseHPKPHeader( | |
201 "max-ag=3488923pins=" + good_pin + "," + backup_pin, chain_hashes, | |
202 &max_age, &include_subdomains, &hashes, &report_uri)); | |
203 EXPECT_FALSE(ParseHPKPHeader("max-age=3488923;pins=" + good_pin + "," + | |
204 backup_pin + "report-uri=\"http://foo.com\"", | |
195 chain_hashes, &max_age, &include_subdomains, | 205 chain_hashes, &max_age, &include_subdomains, |
196 &hashes)); | 206 &hashes, &report_uri)); |
197 EXPECT_FALSE(ParseHPKPHeader("max-age=3488a923 ", chain_hashes, | 207 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923" + backup_pin, chain_hashes, |
198 &max_age, &include_subdomains, &hashes)); | 208 &max_age, &include_subdomains, &hashes, |
199 EXPECT_FALSE(ParseHPKPHeader("max-ag=3488923pins=" + good_pin + "," + | 209 &report_uri)); |
200 backup_pin, | 210 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + backup_pin, chain_hashes, |
211 &max_age, &include_subdomains, &hashes, | |
212 &report_uri)); | |
213 EXPECT_FALSE(ParseHPKPHeader( | |
214 "max-aged=3488923; " + backup_pin + ";" + backup_pin, chain_hashes, | |
215 &max_age, &include_subdomains, &hashes, &report_uri)); | |
216 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + good_pin + ";" + good_pin, | |
201 chain_hashes, &max_age, &include_subdomains, | 217 chain_hashes, &max_age, &include_subdomains, |
202 &hashes)); | 218 &hashes, &report_uri)); |
203 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923" + backup_pin, | 219 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + good_pin, chain_hashes, |
204 chain_hashes, &max_age, &include_subdomains, | 220 &max_age, &include_subdomains, &hashes, |
205 &hashes)); | 221 &report_uri)); |
206 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + backup_pin, | |
207 chain_hashes, &max_age, &include_subdomains, | |
208 &hashes)); | |
209 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + backup_pin + ";" + | |
210 backup_pin, | |
211 chain_hashes, &max_age, &include_subdomains, | |
212 &hashes)); | |
213 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + good_pin + ";" + | |
214 good_pin, | |
215 chain_hashes, &max_age, &include_subdomains, | |
216 &hashes)); | |
217 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + good_pin, | |
218 chain_hashes, &max_age, &include_subdomains, | |
219 &hashes)); | |
220 EXPECT_FALSE(ParseHPKPHeader("max-age==3488923", chain_hashes, &max_age, | 222 EXPECT_FALSE(ParseHPKPHeader("max-age==3488923", chain_hashes, &max_age, |
221 &include_subdomains, &hashes)); | 223 &include_subdomains, &hashes, &report_uri)); |
222 EXPECT_FALSE(ParseHPKPHeader("amax-age=3488923", chain_hashes, &max_age, | 224 EXPECT_FALSE(ParseHPKPHeader("amax-age=3488923", chain_hashes, &max_age, |
223 &include_subdomains, &hashes)); | 225 &include_subdomains, &hashes, &report_uri)); |
224 EXPECT_FALSE(ParseHPKPHeader("max-age=-3488923", chain_hashes, &max_age, | 226 EXPECT_FALSE(ParseHPKPHeader("max-age=-3488923", chain_hashes, &max_age, |
225 &include_subdomains, &hashes)); | 227 &include_subdomains, &hashes, &report_uri)); |
226 EXPECT_FALSE(ParseHPKPHeader("max-age=3488923;", chain_hashes, &max_age, | 228 EXPECT_FALSE(ParseHPKPHeader("max-age=3488923;", chain_hashes, &max_age, |
227 &include_subdomains, &hashes)); | 229 &include_subdomains, &hashes, &report_uri)); |
228 EXPECT_FALSE(ParseHPKPHeader("max-age=3488923 e", chain_hashes, | 230 EXPECT_FALSE(ParseHPKPHeader("max-age=3488923 e", chain_hashes, &max_age, |
229 &max_age, &include_subdomains, &hashes)); | 231 &include_subdomains, &hashes, &report_uri)); |
230 EXPECT_FALSE(ParseHPKPHeader("max-age=3488923 includesubdomain", | 232 EXPECT_FALSE(ParseHPKPHeader("max-age=3488923 includesubdomain", |
231 chain_hashes, &max_age, &include_subdomains, | 233 chain_hashes, &max_age, &include_subdomains, |
232 &hashes)); | 234 &hashes, &report_uri)); |
235 EXPECT_FALSE(ParseHPKPHeader( | |
236 "max-age=3488923 report-uri=\"http://foo.com\"", chain_hashes, | |
237 &max_age, &include_subdomains, &hashes, &report_uri)); | |
233 EXPECT_FALSE(ParseHPKPHeader("max-age=34889.23", chain_hashes, &max_age, | 238 EXPECT_FALSE(ParseHPKPHeader("max-age=34889.23", chain_hashes, &max_age, |
234 &include_subdomains, &hashes)); | 239 &include_subdomains, &hashes, &report_uri)); |
235 EXPECT_FALSE( | 240 EXPECT_FALSE(ParseHPKPHeader( |
236 ParseHPKPHeader("max-age=243; " + good_pin_unquoted + ";" + backup_pin, | 241 "max-age=243; " + good_pin_unquoted + ";" + backup_pin, chain_hashes, |
237 chain_hashes, &max_age, &include_subdomains, &hashes)); | 242 &max_age, &include_subdomains, &hashes, &report_uri)); |
243 EXPECT_FALSE(ParseHPKPHeader( | |
244 "max-age=243; " + good_pin + ";" + backup_pin + ";report-uri=;", | |
245 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); | |
246 EXPECT_FALSE(ParseHPKPHeader("max-age=243; " + good_pin + ";" + backup_pin + | |
247 ";report-uri=http://foo.com;", | |
248 chain_hashes, &max_age, &include_subdomains, | |
249 &hashes, &report_uri)); | |
250 EXPECT_FALSE(ParseHPKPHeader( | |
251 "max-age=243; " + good_pin + ";" + backup_pin + ";report-uri=''", | |
252 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); | |
238 | 253 |
239 // Check the out args were not updated by checking the default | 254 // Check the out args were not updated by checking the default |
240 // values for its predictable fields. | 255 // values for its predictable fields. |
241 EXPECT_EQ(0, max_age.InSeconds()); | 256 EXPECT_EQ(0, max_age.InSeconds()); |
242 EXPECT_EQ(hashes.size(), (size_t)0); | 257 EXPECT_EQ(hashes.size(), (size_t)0); |
243 } | 258 } |
244 | 259 |
245 TEST_F(HttpSecurityHeadersTest, ValidSTSHeaders) { | 260 TEST_F(HttpSecurityHeadersTest, ValidSTSHeaders) { |
246 base::TimeDelta max_age; | 261 base::TimeDelta max_age; |
247 base::TimeDelta expect_max_age; | 262 base::TimeDelta expect_max_age; |
(...skipping 150 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
398 EXPECT_EQ(expect_max_age, max_age); | 413 EXPECT_EQ(expect_max_age, max_age); |
399 EXPECT_TRUE(include_subdomains); | 414 EXPECT_TRUE(include_subdomains); |
400 } | 415 } |
401 | 416 |
402 static void TestValidPKPHeaders(HashValueTag tag) { | 417 static void TestValidPKPHeaders(HashValueTag tag) { |
403 base::TimeDelta max_age; | 418 base::TimeDelta max_age; |
404 base::TimeDelta expect_max_age; | 419 base::TimeDelta expect_max_age; |
405 bool include_subdomains; | 420 bool include_subdomains; |
406 HashValueVector hashes; | 421 HashValueVector hashes; |
407 HashValueVector chain_hashes; | 422 HashValueVector chain_hashes; |
423 std::string expect_report_uri; | |
424 std::string report_uri; | |
408 | 425 |
409 // Set some fake "chain" hashes into chain_hashes | 426 // Set some fake "chain" hashes into chain_hashes |
410 chain_hashes.push_back(GetTestHashValue(1, tag)); | 427 chain_hashes.push_back(GetTestHashValue(1, tag)); |
411 chain_hashes.push_back(GetTestHashValue(2, tag)); | 428 chain_hashes.push_back(GetTestHashValue(2, tag)); |
412 chain_hashes.push_back(GetTestHashValue(3, tag)); | 429 chain_hashes.push_back(GetTestHashValue(3, tag)); |
413 | 430 |
414 // The good pin must be in the chain, the backup pin must not be | 431 // The good pin must be in the chain, the backup pin must not be |
415 std::string good_pin = GetTestPin(2, tag); | 432 std::string good_pin = GetTestPin(2, tag); |
416 std::string good_pin2 = GetTestPin(3, tag); | 433 std::string good_pin2 = GetTestPin(3, tag); |
417 std::string backup_pin = GetTestPin(4, tag); | 434 std::string backup_pin = GetTestPin(4, tag); |
418 | 435 |
419 EXPECT_TRUE(ParseHPKPHeader( | 436 EXPECT_TRUE(ParseHPKPHeader("max-age=243; " + good_pin + ";" + backup_pin, |
420 "max-age=243; " + good_pin + ";" + backup_pin, | 437 chain_hashes, &max_age, &include_subdomains, |
421 chain_hashes, &max_age, &include_subdomains, &hashes)); | 438 &hashes, &report_uri)); |
422 expect_max_age = base::TimeDelta::FromSeconds(243); | 439 expect_max_age = base::TimeDelta::FromSeconds(243); |
423 EXPECT_EQ(expect_max_age, max_age); | 440 EXPECT_EQ(expect_max_age, max_age); |
424 EXPECT_FALSE(include_subdomains); | 441 EXPECT_FALSE(include_subdomains); |
442 EXPECT_EQ(std::string(), report_uri); | |
425 | 443 |
426 EXPECT_TRUE(ParseHPKPHeader( | 444 EXPECT_TRUE(ParseHPKPHeader( |
427 " " + good_pin + "; " + backup_pin + " ; Max-agE = 567", | 445 "max-age=243; " + good_pin + ";" + backup_pin + "; report-uri= \"/foo\"", |
428 chain_hashes, &max_age, &include_subdomains, &hashes)); | 446 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); |
429 expect_max_age = base::TimeDelta::FromSeconds(567); | 447 expect_max_age = base::TimeDelta::FromSeconds(243); |
448 expect_report_uri = "/foo"; | |
430 EXPECT_EQ(expect_max_age, max_age); | 449 EXPECT_EQ(expect_max_age, max_age); |
431 EXPECT_FALSE(include_subdomains); | 450 EXPECT_FALSE(include_subdomains); |
451 EXPECT_EQ(expect_report_uri, report_uri); | |
432 | 452 |
433 EXPECT_TRUE(ParseHPKPHeader( | 453 EXPECT_TRUE(ParseHPKPHeader(" " + good_pin + "; " + backup_pin + |
434 "includeSubDOMAINS;" + good_pin + ";" + backup_pin + | 454 " ; Max-agE = 567; repOrT-URi = \"/foo\"", |
435 " ; mAx-aGe = 890 ", | 455 chain_hashes, &max_age, &include_subdomains, |
436 chain_hashes, &max_age, &include_subdomains, &hashes)); | 456 &hashes, &report_uri)); |
457 expect_max_age = base::TimeDelta::FromSeconds(567); | |
458 expect_report_uri = "/foo"; | |
459 EXPECT_EQ(expect_max_age, max_age); | |
460 EXPECT_FALSE(include_subdomains); | |
461 EXPECT_EQ(expect_report_uri, report_uri); | |
462 | |
463 EXPECT_TRUE(ParseHPKPHeader("includeSubDOMAINS;" + good_pin + ";" + | |
464 backup_pin + " ; mAx-aGe = 890 ", | |
465 chain_hashes, &max_age, &include_subdomains, | |
466 &hashes, &report_uri)); | |
437 expect_max_age = base::TimeDelta::FromSeconds(890); | 467 expect_max_age = base::TimeDelta::FromSeconds(890); |
438 EXPECT_EQ(expect_max_age, max_age); | 468 EXPECT_EQ(expect_max_age, max_age); |
439 EXPECT_TRUE(include_subdomains); | 469 EXPECT_TRUE(include_subdomains); |
440 | 470 |
441 EXPECT_TRUE(ParseHPKPHeader( | 471 EXPECT_TRUE(ParseHPKPHeader( |
442 good_pin + ";" + backup_pin + "; max-age=123;IGNORED;", | 472 good_pin + ";" + backup_pin + "; max-age=123;IGNORED;", chain_hashes, |
443 chain_hashes, &max_age, &include_subdomains, &hashes)); | 473 &max_age, &include_subdomains, &hashes, &report_uri)); |
444 expect_max_age = base::TimeDelta::FromSeconds(123); | 474 expect_max_age = base::TimeDelta::FromSeconds(123); |
445 EXPECT_EQ(expect_max_age, max_age); | 475 EXPECT_EQ(expect_max_age, max_age); |
446 EXPECT_FALSE(include_subdomains); | 476 EXPECT_FALSE(include_subdomains); |
447 | 477 |
448 EXPECT_TRUE(ParseHPKPHeader( | 478 EXPECT_TRUE(ParseHPKPHeader( |
449 "max-age=394082;" + backup_pin + ";" + good_pin + "; ", | 479 "max-age=394082;" + backup_pin + ";" + good_pin + "; ", chain_hashes, |
450 chain_hashes, &max_age, &include_subdomains, &hashes)); | 480 &max_age, &include_subdomains, &hashes, &report_uri)); |
451 expect_max_age = base::TimeDelta::FromSeconds(394082); | 481 expect_max_age = base::TimeDelta::FromSeconds(394082); |
452 EXPECT_EQ(expect_max_age, max_age); | 482 EXPECT_EQ(expect_max_age, max_age); |
453 EXPECT_FALSE(include_subdomains); | 483 EXPECT_FALSE(include_subdomains); |
454 | 484 |
455 EXPECT_TRUE(ParseHPKPHeader( | 485 EXPECT_TRUE(ParseHPKPHeader( |
456 "max-age=39408299 ;" + backup_pin + ";" + good_pin + "; ", | 486 "max-age=39408299 ;" + backup_pin + ";" + good_pin + "; ", chain_hashes, |
457 chain_hashes, &max_age, &include_subdomains, &hashes)); | 487 &max_age, &include_subdomains, &hashes, &report_uri)); |
458 expect_max_age = base::TimeDelta::FromSeconds( | 488 expect_max_age = base::TimeDelta::FromSeconds( |
459 std::min(kMaxHSTSAgeSecs, static_cast<int64>(INT64_C(39408299)))); | 489 std::min(kMaxHSTSAgeSecs, static_cast<int64>(INT64_C(39408299)))); |
460 EXPECT_EQ(expect_max_age, max_age); | 490 EXPECT_EQ(expect_max_age, max_age); |
461 EXPECT_FALSE(include_subdomains); | 491 EXPECT_FALSE(include_subdomains); |
462 | 492 |
463 EXPECT_TRUE(ParseHPKPHeader( | 493 EXPECT_TRUE(ParseHPKPHeader( |
464 "max-age=39408038 ; cybers=39408038 ; includeSubdomains; " + | 494 "max-age=39408038 ; cybers=39408038 ; includeSubdomains; " + |
465 good_pin + ";" + backup_pin + "; ", | 495 good_pin + ";" + backup_pin + "; ", |
466 chain_hashes, &max_age, &include_subdomains, &hashes)); | 496 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); |
467 expect_max_age = base::TimeDelta::FromSeconds( | 497 expect_max_age = base::TimeDelta::FromSeconds( |
468 std::min(kMaxHSTSAgeSecs, static_cast<int64>(INT64_C(394082038)))); | 498 std::min(kMaxHSTSAgeSecs, static_cast<int64>(INT64_C(394082038)))); |
469 EXPECT_EQ(expect_max_age, max_age); | 499 EXPECT_EQ(expect_max_age, max_age); |
470 EXPECT_TRUE(include_subdomains); | 500 EXPECT_TRUE(include_subdomains); |
471 | 501 |
472 EXPECT_TRUE(ParseHPKPHeader( | 502 EXPECT_TRUE(ParseHPKPHeader(" max-age=0 ; " + good_pin + ";" + backup_pin, |
473 " max-age=0 ; " + good_pin + ";" + backup_pin, | 503 chain_hashes, &max_age, &include_subdomains, |
474 chain_hashes, &max_age, &include_subdomains, &hashes)); | 504 &hashes, &report_uri)); |
475 expect_max_age = base::TimeDelta::FromSeconds(0); | 505 expect_max_age = base::TimeDelta::FromSeconds(0); |
476 EXPECT_EQ(expect_max_age, max_age); | 506 EXPECT_EQ(expect_max_age, max_age); |
477 EXPECT_FALSE(include_subdomains); | 507 EXPECT_FALSE(include_subdomains); |
478 | 508 |
479 EXPECT_TRUE(ParseHPKPHeader( | 509 EXPECT_TRUE(ParseHPKPHeader( |
480 " max-age=0 ; includeSubdomains; " + good_pin + ";" + backup_pin, | 510 " max-age=0 ; includeSubdomains; " + good_pin + ";" + backup_pin, |
481 chain_hashes, &max_age, &include_subdomains, &hashes)); | 511 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); |
482 expect_max_age = base::TimeDelta::FromSeconds(0); | 512 expect_max_age = base::TimeDelta::FromSeconds(0); |
483 EXPECT_EQ(expect_max_age, max_age); | 513 EXPECT_EQ(expect_max_age, max_age); |
484 EXPECT_TRUE(include_subdomains); | 514 EXPECT_TRUE(include_subdomains); |
485 | 515 |
486 EXPECT_TRUE(ParseHPKPHeader( | 516 EXPECT_TRUE(ParseHPKPHeader( |
487 " max-age=999999999999999999999999999999999999999999999 ; " + | 517 " max-age=999999999999999999999999999999999999999999999 ; " + |
488 backup_pin + ";" + good_pin + "; ", | 518 backup_pin + ";" + good_pin + "; ", |
489 chain_hashes, &max_age, &include_subdomains, &hashes)); | 519 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); |
490 expect_max_age = base::TimeDelta::FromSeconds(kMaxHSTSAgeSecs); | 520 expect_max_age = base::TimeDelta::FromSeconds(kMaxHSTSAgeSecs); |
491 EXPECT_EQ(expect_max_age, max_age); | 521 EXPECT_EQ(expect_max_age, max_age); |
492 EXPECT_FALSE(include_subdomains); | 522 EXPECT_FALSE(include_subdomains); |
493 | 523 |
524 EXPECT_TRUE(ParseHPKPHeader( | |
525 " max-age=999999999999999999999999999999999999999999999 ; " + | |
526 backup_pin + ";" + good_pin + "; report-uri=\"/foo\"", | |
Ryan Sleevi
2015/06/26 19:41:52
Suggestion: include a quoted URL with a ";", to ma
Ryan Sleevi
2015/06/26 19:41:52
Suggestion: Also include a > 0x7F character, which
Ryan Sleevi
2015/06/26 19:41:52
Suggestion: Also include a report-uri with an enco
estark
2015/06/26 22:42:11
Done.
estark
2015/06/26 22:42:11
I'm actually not sure what we should be doing with
estark
2015/06/26 22:42:11
Done. (It in fact wasn't tokenizing properly!)
Ryan Sleevi
2015/06/27 12:13:59
HttpUtil::Unquote handles unescaping
| |
527 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); | |
528 expect_max_age = base::TimeDelta::FromSeconds(kMaxHSTSAgeSecs); | |
529 expect_report_uri = "/foo"; | |
530 EXPECT_EQ(expect_max_age, max_age); | |
531 EXPECT_FALSE(include_subdomains); | |
532 EXPECT_EQ(expect_report_uri, report_uri); | |
533 | |
494 // Test that parsing a different header resets the hashes. | 534 // Test that parsing a different header resets the hashes. |
495 hashes.clear(); | 535 hashes.clear(); |
496 EXPECT_TRUE(ParseHPKPHeader( | 536 EXPECT_TRUE(ParseHPKPHeader( |
497 " max-age=999; " + | 537 " max-age=999; " + backup_pin + ";" + good_pin + "; ", chain_hashes, |
498 backup_pin + ";" + good_pin + "; ", | 538 &max_age, &include_subdomains, &hashes, &report_uri)); |
499 chain_hashes, &max_age, &include_subdomains, &hashes)); | |
500 EXPECT_EQ(2u, hashes.size()); | 539 EXPECT_EQ(2u, hashes.size()); |
501 EXPECT_TRUE(ParseHPKPHeader( | 540 EXPECT_TRUE(ParseHPKPHeader( |
502 " max-age=999; " + backup_pin + ";" + good_pin2 + "; ", chain_hashes, | 541 " max-age=999; " + backup_pin + ";" + good_pin2 + "; ", chain_hashes, |
503 &max_age, &include_subdomains, &hashes)); | 542 &max_age, &include_subdomains, &hashes, &report_uri)); |
504 EXPECT_EQ(2u, hashes.size()); | 543 EXPECT_EQ(2u, hashes.size()); |
505 } | 544 } |
506 | 545 |
507 TEST_F(HttpSecurityHeadersTest, BogusPinsHeadersSHA1) { | 546 TEST_F(HttpSecurityHeadersTest, BogusPinsHeadersSHA1) { |
508 TestBogusPinsHeaders(HASH_VALUE_SHA1); | 547 TestBogusPinsHeaders(HASH_VALUE_SHA1); |
509 } | 548 } |
510 | 549 |
511 TEST_F(HttpSecurityHeadersTest, BogusPinsHeadersSHA256) { | 550 TEST_F(HttpSecurityHeadersTest, BogusPinsHeadersSHA256) { |
512 TestBogusPinsHeaders(HASH_VALUE_SHA256); | 551 TestBogusPinsHeaders(HASH_VALUE_SHA256); |
513 } | 552 } |
(...skipping 16 matching lines...) Expand all Loading... | |
530 EXPECT_TRUE( | 569 EXPECT_TRUE( |
531 state.GetStaticDomainState(domain, &static_domain_state)); | 570 state.GetStaticDomainState(domain, &static_domain_state)); |
532 EXPECT_GT(static_domain_state.pkp.spki_hashes.size(), 1UL); | 571 EXPECT_GT(static_domain_state.pkp.spki_hashes.size(), 1UL); |
533 HashValueVector saved_hashes = static_domain_state.pkp.spki_hashes; | 572 HashValueVector saved_hashes = static_domain_state.pkp.spki_hashes; |
534 | 573 |
535 // Add a header, which should only update the dynamic state. | 574 // Add a header, which should only update the dynamic state. |
536 HashValue good_hash = GetTestHashValue(1, HASH_VALUE_SHA1); | 575 HashValue good_hash = GetTestHashValue(1, HASH_VALUE_SHA1); |
537 HashValue backup_hash = GetTestHashValue(2, HASH_VALUE_SHA1); | 576 HashValue backup_hash = GetTestHashValue(2, HASH_VALUE_SHA1); |
538 std::string good_pin = GetTestPin(1, HASH_VALUE_SHA1); | 577 std::string good_pin = GetTestPin(1, HASH_VALUE_SHA1); |
539 std::string backup_pin = GetTestPin(2, HASH_VALUE_SHA1); | 578 std::string backup_pin = GetTestPin(2, HASH_VALUE_SHA1); |
540 std::string header = "max-age = 10000; " + good_pin + "; " + backup_pin; | 579 std::string report_uri = "http://google.com"; |
580 std::string header = "max-age = 10000; " + good_pin + "; " + backup_pin + | |
581 ";report-uri=\"" + report_uri + "\""; | |
541 | 582 |
542 // Construct a fake SSLInfo that will pass AddHPKPHeader's checks. | 583 // Construct a fake SSLInfo that will pass AddHPKPHeader's checks. |
543 SSLInfo ssl_info; | 584 SSLInfo ssl_info; |
544 ssl_info.public_key_hashes.push_back(good_hash); | 585 ssl_info.public_key_hashes.push_back(good_hash); |
545 ssl_info.public_key_hashes.push_back(saved_hashes[0]); | 586 ssl_info.public_key_hashes.push_back(saved_hashes[0]); |
546 EXPECT_TRUE(state.AddHPKPHeader(domain, header, ssl_info)); | 587 EXPECT_TRUE(state.AddHPKPHeader(domain, header, ssl_info)); |
547 | 588 |
548 // Expect the static state to remain unchanged. | 589 // Expect the static state to remain unchanged. |
549 TransportSecurityState::DomainState new_static_domain_state; | 590 TransportSecurityState::DomainState new_static_domain_state; |
550 EXPECT_TRUE(state.GetStaticDomainState( | 591 EXPECT_TRUE(state.GetStaticDomainState( |
551 domain, &new_static_domain_state)); | 592 domain, &new_static_domain_state)); |
552 for (size_t i = 0; i < saved_hashes.size(); ++i) { | 593 for (size_t i = 0; i < saved_hashes.size(); ++i) { |
553 EXPECT_TRUE(HashValuesEqual(saved_hashes[i])( | 594 EXPECT_TRUE(HashValuesEqual(saved_hashes[i])( |
554 new_static_domain_state.pkp.spki_hashes[i])); | 595 new_static_domain_state.pkp.spki_hashes[i])); |
555 } | 596 } |
556 | 597 |
557 // Expect the dynamic state to reflect the header. | 598 // Expect the dynamic state to reflect the header. |
558 TransportSecurityState::DomainState dynamic_domain_state; | 599 TransportSecurityState::DomainState dynamic_domain_state; |
559 EXPECT_TRUE(state.GetDynamicDomainState(domain, &dynamic_domain_state)); | 600 EXPECT_TRUE(state.GetDynamicDomainState(domain, &dynamic_domain_state)); |
560 EXPECT_EQ(2UL, dynamic_domain_state.pkp.spki_hashes.size()); | 601 EXPECT_EQ(2UL, dynamic_domain_state.pkp.spki_hashes.size()); |
602 EXPECT_EQ(report_uri, dynamic_domain_state.pkp.report_uri); | |
561 | 603 |
562 HashValueVector::const_iterator hash = | 604 HashValueVector::const_iterator hash = |
563 std::find_if(dynamic_domain_state.pkp.spki_hashes.begin(), | 605 std::find_if(dynamic_domain_state.pkp.spki_hashes.begin(), |
564 dynamic_domain_state.pkp.spki_hashes.end(), | 606 dynamic_domain_state.pkp.spki_hashes.end(), |
565 HashValuesEqual(good_hash)); | 607 HashValuesEqual(good_hash)); |
566 EXPECT_NE(dynamic_domain_state.pkp.spki_hashes.end(), hash); | 608 EXPECT_NE(dynamic_domain_state.pkp.spki_hashes.end(), hash); |
567 | 609 |
568 hash = std::find_if(dynamic_domain_state.pkp.spki_hashes.begin(), | 610 hash = std::find_if(dynamic_domain_state.pkp.spki_hashes.begin(), |
569 dynamic_domain_state.pkp.spki_hashes.end(), | 611 dynamic_domain_state.pkp.spki_hashes.end(), |
570 HashValuesEqual(backup_hash)); | 612 HashValuesEqual(backup_hash)); |
571 EXPECT_NE(dynamic_domain_state.pkp.spki_hashes.end(), hash); | 613 EXPECT_NE(dynamic_domain_state.pkp.spki_hashes.end(), hash); |
572 | 614 |
573 // Expect the overall state to reflect the header, too. | 615 // Expect the overall state to reflect the header, too. |
574 EXPECT_TRUE(state.HasPublicKeyPins(domain)); | 616 EXPECT_TRUE(state.HasPublicKeyPins(domain)); |
575 HashValueVector hashes; | 617 HashValueVector hashes; |
576 hashes.push_back(good_hash); | 618 hashes.push_back(good_hash); |
577 std::string failure_log; | 619 std::string failure_log; |
578 const bool is_issued_by_known_root = true; | 620 const bool is_issued_by_known_root = true; |
579 EXPECT_TRUE(state.CheckPublicKeyPins( | 621 EXPECT_TRUE(state.CheckPublicKeyPins( |
580 domain, is_issued_by_known_root, hashes, &failure_log)); | 622 domain, is_issued_by_known_root, hashes, &failure_log)); |
581 | 623 |
582 TransportSecurityState::DomainState new_dynamic_domain_state; | 624 TransportSecurityState::DomainState new_dynamic_domain_state; |
583 EXPECT_TRUE(state.GetDynamicDomainState(domain, &new_dynamic_domain_state)); | 625 EXPECT_TRUE(state.GetDynamicDomainState(domain, &new_dynamic_domain_state)); |
584 EXPECT_EQ(2UL, new_dynamic_domain_state.pkp.spki_hashes.size()); | 626 EXPECT_EQ(2UL, new_dynamic_domain_state.pkp.spki_hashes.size()); |
627 EXPECT_EQ(report_uri, dynamic_domain_state.pkp.report_uri); | |
585 | 628 |
586 hash = std::find_if(new_dynamic_domain_state.pkp.spki_hashes.begin(), | 629 hash = std::find_if(new_dynamic_domain_state.pkp.spki_hashes.begin(), |
587 new_dynamic_domain_state.pkp.spki_hashes.end(), | 630 new_dynamic_domain_state.pkp.spki_hashes.end(), |
588 HashValuesEqual(good_hash)); | 631 HashValuesEqual(good_hash)); |
589 EXPECT_NE(new_dynamic_domain_state.pkp.spki_hashes.end(), hash); | 632 EXPECT_NE(new_dynamic_domain_state.pkp.spki_hashes.end(), hash); |
590 | 633 |
591 hash = std::find_if(new_dynamic_domain_state.pkp.spki_hashes.begin(), | 634 hash = std::find_if(new_dynamic_domain_state.pkp.spki_hashes.begin(), |
592 new_dynamic_domain_state.pkp.spki_hashes.end(), | 635 new_dynamic_domain_state.pkp.spki_hashes.end(), |
593 HashValuesEqual(backup_hash)); | 636 HashValuesEqual(backup_hash)); |
594 EXPECT_NE(new_dynamic_domain_state.pkp.spki_hashes.end(), hash); | 637 EXPECT_NE(new_dynamic_domain_state.pkp.spki_hashes.end(), hash); |
(...skipping 166 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
761 ssl_info)); | 804 ssl_info)); |
762 | 805 |
763 // The old pins must still exist. | 806 // The old pins must still exist. |
764 EXPECT_TRUE(state.HasPublicKeyPins("example.com")); | 807 EXPECT_TRUE(state.HasPublicKeyPins("example.com")); |
765 EXPECT_TRUE(state.CheckPublicKeyPins("example.com", is_issued_by_known_root, | 808 EXPECT_TRUE(state.CheckPublicKeyPins("example.com", is_issued_by_known_root, |
766 ssl_info.public_key_hashes, | 809 ssl_info.public_key_hashes, |
767 &failure_log)); | 810 &failure_log)); |
768 } | 811 } |
769 | 812 |
770 }; // namespace net | 813 }; // namespace net |
OLD | NEW |